  1. MariaDB Server
  2. MDEV-33682

Please provide a "secure mode" for the MariaDB Client.


Details

    • New Feature
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • None
    • Scripts & Clients
    • None

    Description

      Hi,

      this is a copy of an upstream bug: Bug#14328: Please provide a "secure mode" for the MySQL Client. I just tested and MariaDB 10.11.7 is affected. I guess most / all versions are affected.

      Thanks for looking into this,

      Jean-François Gagné

      It is relatively easy to break out of a MySQL client to execute arbitrary commands in the "environment" where the CLI is run (not on the server where mysqld is run), see How to repeat for examples. This makes providing a restricted environment / shell with the MySQL client very complicated because smart users can break out of the restricted environment. It also makes executing SQL scripts potentially "dangerous" operations because such scripts can run arbitrary commands.

      Some Unix commands which have a "break-out" risk provide a "secure mode" where the "break-out" features are disabled. An example is the LESSSECURE feature of less.

      Please consider implementing a "secure mode" in the MySQL client to reduce exploits leveraging unsafe commands / features of the CLI.

      There is also an argument to be made that the MySQL client executing commands via arguments or stdout should be in secure mode by default (maybe only the interactive mode should be in unsafe mode by default).

      Note: executing an untrusted mysqldump was already identified as a problem in 2007 (more than 16 years ago!) in Bug#26941. I would claim that the general case of running an untrusted SQL script happens quite often: any schema upgrade script provided as part of a software upgrade (WordPress, Grafana, ...) could qualify as such an untrusted script.

      Below with MySQL 8.3.0, but the same applies to 8.0.36 (and MariaDB 10.11.7).

      The "pager" command in interactive mode allows running arbitrary commands (I was not able to use this in non-interactive mode).

      dbdeployer deploy single mysql_8.3.0
       
      rm -f a_file; ./use; ls -l a_file 
       
      mysql [localhost:8300] {msandbox} ((none)) > pager touch a_file
      PAGER set to 'touch a_file'
      mysql [localhost:8300] {msandbox} ((none)) > select 1;
      1 row in set (0.01 sec)
       
      mysql [localhost:8300] {msandbox} ((none)) > exit
      Bye
      -rw-rw-r--. 1 jgagne jgagne 0 Mar 12 19:23 a_file
      

      The "system" command, even in non-interactive mode, allows running arbitrary commands.

      f=a_file; rm -f $f; echo "system touch $f" | ./use; ls -l $f
      -rw-rw-r--. 1 jgagne jgagne 0 Mar 12 19:23 a_file
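
Until the client has a secure mode, an untrusted SQL script can be checked for client-side commands before it is piped into the client. The following is an added example, not part of the original report or of MariaDB/MySQL: a conservative line-based check for the `system` and `pager` commands shown above and their documented short forms `\!` and `\P`. The function name and the sample script are constructed for illustration.

```python
import re

# The two client commands named in the report. Their documented short forms
# are \! (system) and \P (pager); both hand text to a local shell.
SHORT_FORMS = {"\\!": "system", "\\P": "pager"}

# Long form as the first word of a line, matched case-insensitively to stay
# on the safe side (the session above shows the client reporting "PAGER set").
LONG_RE = re.compile(r"^\s*(system|pager)\b", re.IGNORECASE)
# Short form: backslash sequence anywhere on the line.
SHORT_RE = re.compile(r"\\[!P]")


def find_client_commands(sql_text):
    """Return [(line_number, command, stripped_line)] for suspicious lines.

    This is a heuristic, not a re-implementation of the client's parser: it
    ignores quoting and comments, so it can flag escaped data such as a
    backslash followed by P inside a string. A false positive only costs a
    manual review before the script is run.
    """
    findings = []
    for number, line in enumerate(sql_text.splitlines(), start=1):
        hit = LONG_RE.match(line)
        if hit:
            findings.append((number, hit.group(1).lower(), line.strip()))
            continue
        hit = SHORT_RE.search(line)
        if hit:
            findings.append((number, SHORT_FORMS[hit.group(0)], line.strip()))
    return findings


# Constructed sample: a schema-upgrade script with three planted lines.
SAMPLE_SCRIPT = """\
CREATE TABLE t (id INT PRIMARY KEY, note VARCHAR(64));
INSERT INTO t VALUES (1, 'system tables are fine here');
system touch a_file
  PAGER touch a_file
SELECT 1; \\! touch a_file
SELECT pager FROM staff;
"""

if __name__ == "__main__":
    for number, command, text in find_client_commands(SAMPLE_SCRIPT):
        print(f"line {number}: client-side '{command}' command: {text}")
```

A non-empty result is a reason to hold the script for review rather than proof that it is malicious.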
      

          People

            Unassigned
            jeanfrancois.gagne Jean-François Gagné
            Votes: 0
            Watchers: 4
